Privacy Policy
Last updated: [EFFECTIVE DATE]
Template pending legal review. Every [BRACKETED] item must be completed and the whole document reviewed by a lawyer in your jurisdiction before launch. It is written to reflect what the LessCal app actually does today, but it is not legal advice.
Contents
1. Who we are
LessCal ("LessCal", "we", "us") is a nutrition-tracking application operated by [LEGAL ENTITY NAME], registered at [REGISTERED ADDRESS], company number [COMPANY NUMBER]. We are the data controller for the personal data described in this policy.
If you are in the EU/EEA and we are required to appoint one, our representative is [EU REPRESENTATIVE, IF APPLICABLE].
2. What we collect
Information you give us
- Account data: your email address and a securely hashed password. We never store your password in readable form.
- Profile and health data: biological sex, age, height, weight and activity level, plus your goal (lose, maintain or build). We use these to calculate your daily calorie target.
- Questionnaire answers: the answers you give in our onboarding quiz (eating habits, obstacles, diet, water and sleep).
- Food and activity log: the meals, portions, water and weight entries you record, including photos of your food.
Information we collect automatically
- Usage data: pages viewed, features used, and timestamps.
- Device and technical data: IP address, browser type, operating system.
- Cookies: a session cookie to keep you logged in, and a referral cookie (
lesscal_ref, 30 days) if you arrive through an affiliate link. See Cookies below.
Information from others
- Payment data from our payment processor. If you subscribe, our processor tells us your subscription status and the last four digits and brand of your card. We never receive or store your full card number.
3. Your food photos
This is the most sensitive part of the service, so we want to be explicit:
- When you photograph a meal, the image is sent to Google's Gemini AI to identify the foods and estimate portions and nutrients.
- The analysis result (foods, calories, macronutrients) is saved to your diary so you can review your history.
- Photos are processed for the sole purpose of producing that analysis. We do not sell them, and we do not use them to advertise to you.
- Google processes the image under its own terms as our processor. [CONFIRM WHICH GEMINI TIER YOU USE — the free tier may allow Google to use submitted content to improve its models; a paid tier generally does not. State the answer here plainly before launch.]
- Please avoid capturing other people, documents or identifying details in the background of your food photos.
4. How we use your data
- To create and secure your account and keep you logged in.
- To calculate your calorie and macronutrient targets.
- To analyse your food photos and maintain your diary, history and progress charts.
- To generate AI meal plans and recipes when you request them.
- To take payment and manage your subscription and free trial.
- To attribute affiliate referrals and calculate commissions.
- To fix bugs, monitor abuse, and improve the product.
- To contact you about the service (and, only with your consent, about marketing).
We do not sell your personal data, and we do not use your health data for advertising.
5. Legal bases (GDPR)
Where the GDPR applies, we rely on:
- Contract — to provide the service you signed up for (account, tracking, billing).
- Explicit consent — for health-related data (your weight, body metrics and food photos), which is a special category of data under Article 9. You may withdraw consent at any time by deleting the data or your account.
- Legitimate interests — security, fraud prevention, and improving the product, balanced against your rights.
- Legal obligation — tax and accounting records.
6. Who we share data with
We share data only with service providers who process it on our behalf:
- Google (Gemini AI) — food photo analysis, meal plan and recipe generation.
- Open Food Facts — a free public food database queried when you search a food or scan a barcode. Your query is sent; your identity is not.
- Stripe — payment processing and subscription management.
- Our hosting provider ([HOSTING PROVIDER AND COUNTRY]) — where the application and database run.
- Email provider ([EMAIL PROVIDER, IF ANY]) — transactional email.
We may also disclose data if required by law, or in connection with a merger or acquisition (in which case we will notify you).
7. Cookies
- Essential: a session cookie that keeps you logged in. The service cannot work without it.
- Referral:
lesscal_ref, stored for 30 days, to credit the affiliate who referred you. - [IF YOU ADD ANALYTICS OR AN ADVERTISING PIXEL, LIST IT HERE AND ADD A CONSENT BANNER — required in the EU/UK.]
8. How long we keep it
- Account, profile and diary data: for as long as your account is active.
- After you delete your account: erased within [30] days, except where we must keep records longer.
- Billing records: retained as required by tax law (typically [7] years).
- Backups: purged on our normal backup rotation, within [90] days.
9. Your rights
Depending on where you live, you may have the right to:
- Access a copy of your data, and receive it in a portable format.
- Correct data that is inaccurate.
- Delete your data ("right to be forgotten").
- Restrict or object to certain processing.
- Withdraw consent at any time, without affecting processing already carried out.
- Lodge a complaint with your data protection authority.
To exercise any of these, email privacy@lesscal.app. We respond within 30 days.
California residents: we do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not discriminate against you for exercising your rights.
10. Security
We use HTTPS in transit, hashed passwords (bcrypt), signed session cookies, and access controls limiting who on our team can reach production data. No system is perfectly secure, but if a breach affects your rights we will notify you and the relevant authority as the law requires.
11. Children
LessCal is not intended for anyone under [16]. We do not knowingly collect data from children. If you believe a child has given us data, contact us and we will delete it.
12. International transfers
Our providers may process data outside your country, including in the United States. Where required, we rely on the European Commission's Standard Contractual Clauses or an adequacy decision to protect those transfers.
13. Changes to this policy
If we make a material change we will notify you by email or in the app before it takes effect. The date at the top of this page always shows the current version.
14. Contact
Questions about privacy: privacy@lesscal.app
Postal address: [REGISTERED ADDRESS]
Data protection officer: [DPO NAME/EMAIL, IF REQUIRED]